While ethical hacking is by no means a new or groundbreaking practice, the scale at which organizations and individuals are undertaking such initiatives continues to intensify, especially considering recent events such as the log4j vulnerability. Traditionally, ethical hacking is undertaken by organizations that are looking to uncover security gaps which exist within their corporate network and on company devices. It is a process which can help identify areas in need of immediate patching or remediation, ultimately reducing attack surface and keeping company data safe from ill-intended attackers. However, this is only one advantage of ethical hacking. Another benefit is the education and upskilling of cybersecurity professionals. As someone who has spent the last two decades creating content to help educate the wider cybersecurity community on the latest risks and threats, I can honestly say that one of the biggest challenges that persists in our industry is continuing to accelerate the learning path of cybersecurity professionals, beyond university and self-education. The reality is that cybersecurity textbooks become outdated almost immediately. New technologies with unique security controls emerge, and cybercriminals continue to grow in number and become more discreet and targeted. That is why we must constantly learn and upskill ourselves to be able to defend organizations against these attackers, and this is where the gamification of ethical hacking can come into play….

Researchers discovered 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors, most of which they attributed to inherent design flaws in the equipment and to a lax approach to security and risk management that has plagued the industry for decades. The vulnerabilities, found in devices from the well-known vendors Honeywell, Emerson, Motorola, Siemens, JTEKT, Bentley Nevada, Phoenix Contact, Omron and Yokogawa as well as an unnamed manufacturer, vary in their characteristics and in what they allow threat actors to do, according to the research from Forescout’s Vedere Labs. Overall, however, the “impact of each vulnerability is highly dependent on the functionality each device offers,” according to a blog post about the flaws published Tuesday. Researchers broke the flaws they found in each product down into four basic categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; and remote code execution via native functionality. The activities a threat actor can carry out by exploiting the flaws on an affected device include remote code execution (RCE), with code executed in different specialized processors and in different contexts within a processor; denial of service (DoS) that can take a device completely offline or block access to a certain function; and file/firmware/configuration manipulation that allows an attacker to change important aspects of a device;…

An advanced persistent threat (APT) group, dubbed ToddyCat, is believed to be behind a series of attacks targeting the Microsoft Exchange servers of high-profile government and military installations in Asia and Europe. The campaigns, according to researchers, began in December 2020, and their complexity has been largely poorly understood until now. “The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443,” wrote Giampaolo Dedola, security researcher at Kaspersky, in a report outlining the APT. Researchers said ToddyCat is a relatively new APT and there is “little information about this actor.” The APT deploys two passive backdoors within the Exchange Server environment, malware called Samurai and Ninja, which researchers say the adversaries use to take complete control of the victim’s hardware and network. The Samurai malware was part of a multi-stage infection chain initiated by the infamous China Chopper and relies on web shells to drop exploits on selected Exchange servers in Taiwan and Vietnam from December 2020, Kaspersky reports. The researchers stated that the malware allows “arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.” In some cases, they said, the Samurai backdoor lays the path to launch another malicious…

We have read more than enough news in recent times about the surge in cyberattacks. It is crystal clear that attackers are not leaving out even the tiniest security loophole and are coming up with smarter ways to invade our IT networks. Vulnerability management is the most crucial cyber defense process, yet it has remained nearly the same over the last two decades. IT security teams are struggling to reduce risk exposure and prevent cyberattacks because of this lack of innovation. Today’s modern attack surface needs a next-gen, advanced vulnerability management approach to deal with complex, ever-evolving attack surfaces and to curb cyberattacks.

Why Conventional Vulnerability Management is not the Best Fit for the Modern Security Landscape

Vulnerabilities beyond CVEs are overlooked. In the traditional vulnerability management process, the definition of a vulnerability is straightforward: “a CVE or a software vulnerability.” CVEs must be managed, but managing them alone is not sufficient to deal with the complex attack surface. Numerous other security risks exist, such as poorly configured settings, asset exposures, deviations in security controls, missing security patches, and security posture anomalies. These security risks present the same threat as software vulnerabilities and must be managed accordingly.

Lack of integrated remediation controls. Most traditional vulnerability management tools on the market do not come with integrated patching to remediate…

An agent of the Kazakhstan government has been using enterprise-grade spyware against domestic targets, according to Lookout research published last week. The government entity used brand impersonation to trick victims into downloading the malware, dubbed “Hermit.” Hermit is an advanced, modular program developed by RCS Lab, a notorious Italian company that specializes in digital surveillance. It can carry out all kinds of spying on a target’s phone, not just collecting data but also recording and making calls. The timing of this spying operation holds extra significance. In the first week of 2022, anti-government protests were met with violent crackdowns across Kazakhstan; 227 people died in all, and nearly 10,000 were arrested. Four months later, researchers discovered the latest samples of Hermit making the rounds.

The Intrusion

How do you get a target to download their own spyware? In this campaign, the perpetrators use OPPO (Guangdong Oppo Mobile Telecommunications Corp., Ltd, a Chinese mobile and electronics manufacturer) as their ploy to earn the trust of targets. According to researchers, agents working on behalf of the government send SMS messages purporting to come from OPPO that carry a maliciously hijacked link to the company’s official Kazakh-language support page: http[://]oppo-kz[.]custhelp[.]com. (At the time of the report’s publication, that support page had gone offline.) In some instances, the attackers also impersonate Samsung and Vivo,…

Researchers are warning that attackers can abuse Microsoft Office 365 functionality to target files stored on SharePoint and OneDrive in ransomware attacks. Those files, stored via “auto-save” and backed up in the cloud, typically leave end users with the impression that the data is shielded from a ransomware attack. However, researchers say that is not always the case, and files stored on SharePoint and OneDrive can be vulnerable to a ransomware attack. The research comes from Proofpoint, which lays out what it says is a “potentially dangerous piece of functionality” in a report released last week. “Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker,” according to researchers.

How the Attack Chain Works

The attack chain assumes the worst and starts with an initial compromise of an Office 365 user’s account credentials. This leads to an account takeover, then discovery of data within the SharePoint and OneDrive environment, and eventually a breach of data and a ransomware attack. Why this is a big deal, argues Proofpoint, is that tools such as cloud backups via Microsoft’s “auto-save” feature have been part of best practices for preventing a ransomware attack: should data be locked up on an endpoint, there would be a cloud backup to save the day. Configuring how…

Attackers are using an oft-used and still effective lure to steal credentials for key Microsoft apps by sending emails notifying potential victims that they have a voicemail message, researchers have found. A team from Zscaler ThreatLabZ has been monitoring a campaign since May that targets key vertical industries in the United States with “malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials,” researchers said in a blog post published recently. Both the emails and the credential-stealing page appear to come from legitimate entities, a tactic meant to dupe victims into falling for the ploy, they said. In fact, Zscaler itself was one of the organizations targeted in the campaign, which researchers said is similar to one ThreatLabZ discovered in July 2020; this gave ThreatLabZ particular insight into how the campaign works. Other victims of the latest campaign include organizations in specific U.S. verticals, including software security, the military, security solution providers, healthcare and pharmaceuticals, and the manufacturing supply chain, researchers said. While the tactics in the campaign are far from novel, threat actors appear to be taking an “if it ain’t broke, don’t fix it” approach to stealing credentials as a way to access corporate networks, noted one security professional. The sad fact is that they still work, and as long as that’s the case, attackers will keep using them, Erich Kron, security…

Check out this handmade sign posted to the front door of a shuttered Jimmy John's sandwich chain shop in Missouri last week. See if you can tell from the store owner's message what happened. If you guessed that someone in the Jimmy John's store might have fallen victim to a Business Email Compromise (BEC) or "CEO fraud" scheme — wherein the scammers impersonate company executives to steal money — you'd be in good company. In fact, that was my initial assumption when a reader in Missouri shared this photo after being turned away from his favorite local sub shop. But a conversation with the store's owner Steve Saladin brought home the truth that some of the best solutions to fighting fraud are even more low-tech than BEC scams. Visit any random fast-casual dining establishment and there's a good chance you'll see a sign somewhere from the management telling customers their next meal is free if they don't receive a receipt with their food. While it may not be obvious, such policies are meant to deter employee theft. The idea is to force employees to finalize all sales and create a transaction that gets logged by the company's systems. The offer also incentivizes customers to help keep employees honest by reporting when they don't get a receipt with their food, because employees can often conceal transactions by canceling them before they're completed. In that scenario, the employee gives the customer their food and any change, and then pockets the rest. You can probably…

Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade while running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia. Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to [an APT called] UNC94,” they reported. Researchers say one of Aoqin Dragon’s tactics and techniques is using pornographic-themed malicious documents as bait to entice victims to download them. “Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote.

Aoqin Dragon’s Evolving Stealth Tactics

Part of what has helped Aoqin Dragon stay under the radar for so long is that the group has evolved; for example, the means the APT uses to infect target computers has changed over time. In its first few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities, specifically CVE-2012-0158 and CVE-2010-3333, which its targets might not yet have patched. Later, Aoqin Dragon created executable files with desktop icons that made them look like Windows folders or antivirus software. These programs were actually malicious droppers which planted backdoors and then established connections back to the attackers’ command-and-control (C2) servers. Since 2018, the group has been utilizing a…

An advanced persistent threat group with ties to Iran is believed to be behind a phishing campaign targeting high-profile Israeli government and military personnel, according to a report by Check Point Software. Targets of the campaign included senior leadership in the Israeli defense industry, the former U.S. Ambassador to Israel and the former Deputy Prime Minister of Israel. The goal of the campaign, the researchers said, was to obtain personal information from targets.

Fake Emails from Legit Addresses

One of the targets, according to Check Point, is Tzipi Livni, Israel’s former foreign minister, minister of justice and vice prime minister. Researchers believe she was selected because of the high-caliber list of contacts in her address book. Not long ago she received an email from, according to the researchers, “a well-known former Major General in the IDF who served in a highly sensitive position.” The sender address was not spoofed; it was the same domain she had corresponded with before. Translated from Hebrew, the message read:

Hello my dear friends, Please see attached article to summarize the year. ((eyes only)) Of course I don’t want it to be distributed, because it is not the final version. I would be happy to receive remarks of any kind. Have a great rest of the day.

The message contained a link. Livni delayed in clicking the link, prompting several follow-up emails:

Good morning, I haven’t heard from you. Some friends sent me remarks. Your remarks…
